Vulnerability in Rust Standard Library

A race condition vulnerability (CVE-2022-21658) has been identified in the std::fs::remove_dir_all() function of the Rust standard library. If a privileged application uses this function to delete temporary files, an attacker can cause arbitrary system files and directories, which the attacker would normally have no permission to delete, to be removed.

The vulnerability is caused by an incorrect implementation of the symbolic-link check performed before directories are deleted recursively. Rather than refusing to follow symbolic links, remove_dir_all() first checks whether the entry is a symbolic link: if it is, it is unlinked like a file; if it is a directory, the recursive deletion of its contents is invoked. The problem is that there is a short window between this check and the start of the deletion operation.

Once the check has been performed but the enumeration of the directory contents for deletion has not yet begun, the attacker can replace the temporary-file directory with a symbolic link. If the timing is right, remove_dir_all() treats the symbolic link as a directory and starts deleting the contents of the location the link points to. Although success depends on hitting this window precisely, and hitting it on the first attempt is unlikely, the researchers achieved a reliably reproducible attack after running the exploit for several seconds.

The vulnerability affects all Rust versions from 1.0.0 to 1.58.0 inclusive. For now the issue has been fixed in the form of a patch (the fix will be included in release 1.58.1, which is expected within a few hours). The status of the fix in distributions can be followed on these pages: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch, FreeBSD. All users of Rust programs that run with elevated privileges and use remove_dir_all() are advised to update Rust to version 1.58.1 urgently. Notably, the released patch does not solve the problem on all systems: on Redox and on macOS versions prior to 10.10 (Yosemite) the vulnerability is not blocked, because these systems lack the O_NOFOLLOW flag, which prevents following symbolic links.
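As an added illustration (not code from the Rust project or from the original article), the following shows the check-then-act pattern described above next to a hardened version that follows the principle behind the 1.58.1 fix: open the directory with O_NOFOLLOW | O_DIRECTORY, then perform every subsequent operation relative to that open descriptor, so a symbolic link swapped in after the check is never followed. It is written in Python rather than Rust because the os module exposes the dir_fd-based calls directly; it assumes Linux or another Unix with dir_fd support, and the scenario it builds (a temporary work directory containing a symlink to an outside "victim" directory) is constructed for the example.

```python
import errno
import os
import shutil
import stat
import tempfile


def remove_dir_all_racy(path: str) -> None:
    """The vulnerable check-then-act pattern: inspect `path`, then operate on
    `path` again by name. Between the two calls the directory can be replaced
    with a symlink, and the path-based calls below will follow it."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        os.unlink(path)          # symlink or file: remove the entry itself
        return
    # --- race window: `path` is re-resolved by every call below ---
    for name in os.listdir(path):
        remove_dir_all_racy(os.path.join(path, name))
    os.rmdir(path)


def _remove_contents(dir_fd: int) -> None:
    """Empty the directory pinned by `dir_fd`. Every call is relative to the
    open descriptor, so the directory itself can no longer be redirected."""
    for name in os.listdir(dir_fd):
        st = os.lstat(name, dir_fd=dir_fd)
        if not stat.S_ISDIR(st.st_mode):
            os.unlink(name, dir_fd=dir_fd)   # symlinks are removed, never followed
            continue
        try:
            # O_NOFOLLOW makes the open fail instead of descending into a
            # symlink that was swapped in after the lstat() above.
            child = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                            dir_fd=dir_fd)
        except OSError as e:
            if e.errno in (errno.ELOOP, errno.ENOTDIR):
                os.unlink(name, dir_fd=dir_fd)   # it is a symlink or file now
                continue
            raise
        try:
            _remove_contents(child)
        finally:
            os.close(child)
        os.rmdir(name, dir_fd=dir_fd)


def remove_dir_all_safe(path: str) -> None:
    """Hardened variant: the open itself refuses a symlink (ELOOP), so there is
    no gap between checking and using the top-level path."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        _remove_contents(fd)
    finally:
        os.close(fd)
    os.rmdir(path)   # rmdir() never follows symlinks, so this last step is safe too


def demo() -> dict:
    """Constructed scenario: a work directory holding a file, a nested
    directory and a symlink pointing at an outside 'victim' directory."""
    root = tempfile.mkdtemp()
    try:
        victim = os.path.join(root, "victim")
        os.mkdir(victim)
        victim_file = os.path.join(victim, "keep.txt")
        with open(victim_file, "w") as f:
            f.write("must survive\n")

        target = os.path.join(root, "tmp-work")
        os.makedirs(os.path.join(target, "nested"))
        with open(os.path.join(target, "nested", "a.txt"), "w") as f:
            f.write("x\n")
        os.symlink(victim, os.path.join(target, "escape"))  # the dangerous entry

        remove_dir_all_safe(target)

        # A top-level path that is itself a symlink must be refused, not followed.
        link = os.path.join(root, "link-to-victim")
        os.symlink(victim, link)
        try:
            remove_dir_all_safe(link)
            refused = False
        except OSError as e:
            refused = e.errno in (errno.ELOOP, errno.ENOTDIR)

        return {
            "target_removed": not os.path.lexists(target),
            "victim_file_intact": os.path.isfile(victim_file),
            "symlink_root_refused": refused,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The hardened version still ends with a path-based rmdir() on the top-level directory; that is acceptable because rmdir() fails with ENOTDIR on a symlink rather than following it, which is the same reason the per-entry unlink() calls are safe. What the descriptor-relative traversal buys is that no step between "this is a directory" and "delete its contents" re-resolves a path the attacker controls.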

Source: opennet.ru
